- Fix so that only services with a security descriptor inherit
security properties from the client.
- Clean up code - check for redundancy with any code in core.
- Functionality to load one of gridmap, creds or authz rather than all
or none (esp. for ResourceSecurityDesc).

Notes:
- Default authentication method changed to be none. 
- Most methods in the *SecurityDescriptor classes don't check whether
a value has already been set. Need to define a schema and validate
the presented descriptor before parsing it.
- If setSubject is used, the proxy/cert file settings no longer
correspond to the stored Subject, and a refresh might erase it.
- Maybe separate out code used for parsing into a separate package from the
descriptors and config code.

Later:
- Port SecureContainerHandler if need be.
- authz service - standard WSDL, sample and corresponding test? It is
OGSA-AuthZ; is that still relevant?
- GRIM stuff - commented out for now.
- JNDI initialization of the security descriptor, i.e. move the
SecurityConfig stuff so that it is done at start-up?
- Security descriptor file name and service path are used in all
places. Create a datatype holding those two?


Notes about SAML Authorization callout: (to be moved to documentation)

- SAML Authorization as custom authorization

The distribution has an authorization mechanism that can be configured
as a custom authorization to send authorization queries to an
authorization service conforming to the specification defined by
the GGF OGSA-Authorization (OGSA-AuthZ) working group. It uses the
SAML protocol to send an authorization query and receive an
authorization decision. The subject invoking the method, the method
invoked and the service endpoint reference are sent to the configured
authorization service as part of the request. The response is parsed
and, if the decision is not Permit, an exception is thrown (the
callout fails closed).

The endpoint reference is converted into a string using the following steps:
- the service end point is used as is.
- slash is used as separator
- a hash of the resource properties is appended to the service endpoint

A utility method to do the same has been provided in
org.globus.wsrf.impl.security.util.AuthUtil:

    public static String getEPRAsString(org.apache.axis.MessageContext ctx) 
        throws SecurityException;

To configure a service to use the SAML Authz callout:

- set authorization to "custom"
- set authzClass to
"org.globus.ogsa.impl.security.authorization.SAMLAuthorizationCallout"
- set authzService property to the endpoint of the authorization
service to contact.

The OGSA-AuthZ specification also defines extension to the SAML
Request and Response datatypes and the authorization callout can be
configured to use either the standard datatypes or the extensions. The
following parameters can be used to configure the authorization
callout:

- Container level property "samlAuthzSimpleDecision": If set to false
will generate request to authz service such that it expects a
SAMLAuthzResponse (not a simple response). If set to true or not
specified, a simple response is requested.

- Container level property "samlAuthzReqSigned": If set to true, the
request is signed. To do this, container credentials are required. If
set to true and no container credentials are found, an error is
thrown. If set to false or not specified, the request is not signed.
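The following is an added example, not code from the Globus distribution or the OGSA-AuthZ sample, of what the callout described above does: it turns an endpoint plus resource properties into the resource string (the page fixes the shape "endpoint/hash" but not the hash algorithm or the canonical form of the properties, so SHA-256 over sorted key=value lines is an assumption), builds a SAML 1.1 AuthorizationDecisionQuery for (subject, method, resource), and parses a Response, treating anything other than an explicit Permit for exactly that resource and action as a failure. The action namespace `urn:example:ogsa:operation` and the `sample_response` helper (a constructed stand-in for a real authz service reply) are assumptions; request signing and the OGSA-AuthZ extended datatypes are not modelled.

```python
"""SAML 1.1 authorization-decision callout sketch (added example, not Globus code)."""
import hashlib
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
ACTION_NS = "urn:example:ogsa:operation"   # assumed namespace for method names
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)


class AuthorizationError(Exception):
    """Raised when the authorization service does not return Permit."""


def epr_as_string(service_endpoint, resource_properties):
    """Endpoint as-is, '/' as separator, hash of the resource properties appended.
    The canonical form (sorted key=value lines) and SHA-256 are assumptions."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(resource_properties.items()))
    return f"{service_endpoint}/{hashlib.sha256(canonical.encode()).hexdigest()}"


def build_authz_query(subject_dn, method, resource):
    """Serialize a samlp:Request carrying one AuthorizationDecisionQuery."""
    req = ET.Element(f"{{{SAMLP_NS}}}Request", MajorVersion="1", MinorVersion="1")
    query = ET.SubElement(req, f"{{{SAMLP_NS}}}AuthorizationDecisionQuery", Resource=resource)
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    name = ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier",
                         Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName")
    name.text = subject_dn
    action = ET.SubElement(query, f"{{{SAML_NS}}}Action", Namespace=ACTION_NS)
    action.text = method
    return ET.tostring(req, encoding="unicode")


def sample_response(decision, resource, method):
    """Constructed stand-in for what an authz service would send back."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    MajorVersion="1" MinorVersion="1">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="authz.example.org">
    <saml:AuthorizationDecisionStatement Resource="{resource}" Decision="{decision}">
      <saml:Subject><saml:NameIdentifier>/O=Example/CN=alice</saml:NameIdentifier></saml:Subject>
      <saml:Action Namespace="{ACTION_NS}">{method}</saml:Action>
    </saml:AuthorizationDecisionStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_decision(response_xml, resource, method):
    """Return the Decision for exactly this resource and method. A failed status,
    a statement about another resource, or another action is Indeterminate, so a
    Permit issued for something else can never be replayed against this call."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        return "Indeterminate"
    for stmt in root.iter(f"{{{SAML_NS}}}AuthorizationDecisionStatement"):
        if stmt.get("Resource") != resource:
            continue
        actions = [a.text for a in stmt.findall(f"{{{SAML_NS}}}Action")]
        if method in actions:
            return stmt.get("Decision", "Indeterminate")
    return "Indeterminate"


def authorize(response_xml, resource, method):
    """Fail closed: only an explicit Permit lets the invocation proceed."""
    decision = parse_decision(response_xml, resource, method)
    if decision != "Permit":
        raise AuthorizationError(f"{method} on {resource}: {decision}")
    return True


if __name__ == "__main__":
    res = epr_as_string("https://host:8443/wsrf/services/CounterService", {"id": "42"})
    print(build_authz_query("/O=Example/CN=alice", "add", res))
    print(authorize(sample_response("Permit", res, "add"), res, "add"))
```

The matching on both Resource and Action in `parse_decision` is the check worth keeping in any real callout: a Permit is only meaningful for the (subject, method, resource) tuple that was asked about, and a service that accepts any Permit-bearing assertion would be confused by a cached or replayed decision for a different operation.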

A sample authz service is included in the distribution and can
be used as a template for writing authz services. The sample is in the
following location:

wsrf/java/core/samples/authzService


Authz Framework integration notes:
==================================

TODO:

- Maybe a test for TrustedTargetHandler 
- Add XACML PDP  and tests
- Clean up code.

Others:

- By default, resource authz config is global properties in
server-config. To not use that, use
setAuthzChain(ServiceAuthorizationChain)
- SelfAuthz, HostAuthz: only one instance was being created - but with
the PDP and Interceptor interfaces, need to figure out whether they can
still be kept as singleton classes.
- PDPConfig as part of ServiceAuthzChain - only one instance can be
configured for all interceptors on the chain, but interceptors might
need their data in different forms.


Username/password notes:
=======================
- jre/lib/ext/jaasmod.jar (or any login module files)
- jre/lib/security/java.security - configuration file

login.configuration.provider=com.sun.security.auth.login.ConfigFile 
login.config.url.1=file:${java.home}/lib/security/jaas.config

- jaas.config

Login {
	com.sun.security.auth.module.NTLoginModule required;
};

Serialization of descriptor:
============================
- GlobusCredential is not completely serialized. (Should not be an
issue; it just might lead to reloading of the default creds.)
